Zscaler ThreatLabZ has been seeing a steady increase in the Nuclear Exploit Kit (EK) traffic over the past few weeks. The detection of malicious activity performed by this EK remains low, due to usage of dynamic content and heavy obfuscation. In this blog, we will walk you through a complete Nuclear EK infection cycle with a live example. We will also share details of the identified payload, which had very low Anti-Virus (AV) detection rates.
The infection cycle begins with an unsuspecting user visiting a legitimate site that was compromised by the attackers. The compromised site in the example covered in this blog is www[.]cornwallmusiceducationhub[.]org
that further redirects the victim to the Exploit Kit hosting server [18.104.22.168]. Nuclear EK is notorious for exploiting most popular browser plugins.
The following screenshot shows the malicious iframe injected on the compromised website.
|Malicious iframe in compromised domain |
The malicious iframe leads the users to a loading site, which in this case performs a second level redirection as shown below, eventually leading the victim to the Nuclear EK's landing page.
Redirection Chain observed in our example:Compromised site :
|Redirecting to the Nuclear EK landing page |
www[.]cornwallmusiceducationhub[.]org/tag/heartlands-pool/Second level redirection site:
fluersutel[.]tecnopes[.]com[.]ar/miksopulp16[.]htmlEK Landing site:
|Redirection Chain |
The Exploit kit landing page is heavily obfuscated to evade detection by AV and Intrusion Prevention Systems as seen below:
|Landing Page |
Going further, we observed that the following three functions VV8Y6W,wL3, and Fp4Ovo
were responsible for the dynamic de-obfuscation of the EK landing page code. We have noted the action performed by each function in the following screenshot.
The following routine leverages the aforementioned functions to generate a key PluginDetect (V 0.8.8) script which we will discuss later.
Upon successful execution of the above code, the variable KKa
will store the PluginDetect script. The following code will execute the script.PluginDetect
. This library is used by the exploit kit authors to do a detailed reconnaissance of victim's browser plugins. We will walk you through various actions performed by this script before executing the exploit payload.
First the detectPlatform
function will check for the operating system running on the victim machine:
Subsequently, the script will also check the version of well-known browser plugins, which includes Java, Adobe Reader, Adobe Flash, and Silverlight.
It then leverages the XML DOM information leakage vulnerability
to enumerate through the system driver files residing in the C:\Windows\System32\drivers\ directory. If it finds any AV driver files, the script will terminate the infection cycle.
Next, the script will check for the vulnerable versions of the loaded plugins and accordingly run the identified application exploit function.
The following screenshot shows the application specific exploit functions:
Below are the exploit payloads that were getting served if the related application plugin version was found to be vulnerable by the Nuclear EK instance that we analyzed. AV detection for the payloads delivered by this variant remained poor at the time of blog publication.Silverlight Exploit:
VT: 2/55Flash Exploit:
VT: 1/55PDF Exploit:
If the exploit attempt is successful, then the EK code will silently download and install the following malware payload on the victim machine.Malware: